Michael Krax discovered that ht://Dig fails to validate the
'config' parameter before displaying an error message containing the
parameter. This flaw could allow an attacker to conduct cross-site
scripting attacks.

By sending a carefully crafted message, an attacker can inject and
execute script code in the victim's browser window. This allows the
attacker to modify the behaviour of ht://Dig and/or leak session
information, such as cookies.
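
The flaw class described above, shown as an added example that is not
ht://Dig's own code: an error page that echoes the 'config' parameter
as-is, next to a version that validates it and escapes it on output. The
function names, the error message wording and the allowed character set
are assumptions made for illustration.

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Encode the HTML-significant characters so a value is rendered as text.
std::string html_escape(const std::string &in) {
    std::string out;
    out.reserve(in.size());
    for (char c : in) {
        switch (c) {
            case '&':  out += "&amp;";  break;
            case '<':  out += "&lt;";   break;
            case '>':  out += "&gt;";   break;
            case '"':  out += "&quot;"; break;
            case '\'': out += "&#39;";  break;
            default:   out += c;
        }
    }
    return out;
}

// Allowlist (assumed policy): 1 to 64 characters from [A-Za-z0-9_-].
bool valid_config_name(const std::string &name) {
    if (name.empty() || name.size() > 64) return false;
    for (unsigned char c : name)
        if (!(std::isalnum(c) || c == '_' || c == '-')) return false;
    return true;
}

// Before: the parameter is copied into the page unchanged.
std::string error_page_unsafe(const std::string &config) {
    return "<p>Unable to read configuration file '" + config + "'</p>";
}

// After: invalid names are rejected without being echoed back, and
// anything that is displayed is escaped regardless of validation.
std::string error_page_safe(const std::string &config) {
    if (!valid_config_name(config))
        return "<p>Invalid configuration name</p>";
    return "<p>Unable to read configuration file '" + html_escape(config) + "'</p>";
}

int main() {
    const std::string sample = "<b>x</b>";  // constructed input
    std::cout << error_page_unsafe(sample) << "\n"
              << error_page_safe(sample) << "\n";
}
```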